EU General Data Protection Regulation (GDPR): New rules across the EU
What is the GDPR?
Earlier this year, the European Parliament and the Council adopted the General Data Protection Regulation (‘GDPR’) to reform data protection law across the EU Member States. As the law stands today, each Member State has its own legislation regulating data protection, guided only by the Data Protection Directive (‘DPD’), which has been in place since 1995. Because that instrument was a directive and not a regulation, Member States were free to choose how they implemented its rules as long as the main principles were upheld.
The DPD was a step in the right direction; however, it resulted in discrepancies among Member States, which created inconsistencies and legal uncertainty. Moreover, given that the DPD was drafted in 1995, it has not managed to keep up with changes brought out by the digital age. Data protection laws nowadays have to exist in a reality of monitoring through social networking, location-based services, CCTVs and so on.
For all these reasons, the European Commission proposed a new framework regulation for data protection. The GDPR will apply from 25th May 2018, and it will repeal and replace the DPD without the need for transposition into the laws of Member States, since a regulation is directly applicable in every Member State.
By now, the majority of people have heard of this new regulation, and one might be asking why so much concern is being raised over a seemingly ordinary regulatory advancement. The reason behind this apprehension is that the GDPR has introduced new rights for data subjects, with corresponding onerous obligations on data controllers and data processors. (A data controller is defined as a natural or legal person who determines the purposes and means of the processing of the personal data, and a data processor is defined as a natural or legal person who processes personal data on behalf of the controller. It is possible to be both a data controller (for example with regards to employee data) and a data processor (providing services of data processing to other organisations). Obligations under the GDPR differ between data controllers and data processors.)
The GDPR has also raised the ceiling for fines substantially (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher), whilst retaining the data subject’s right to sue for damages and adding an express right to compensation for non-material (moral) damage. Moreover, the GDPR is no longer limited to processing by organizations established in the EU: it also applies to organizations established outside the EU if they offer goods or services to, or monitor the behaviour of, data subjects in the EU.
The main new rights pertaining to data subjects under the GDPR are the ‘right to be forgotten’ and the ‘right to data portability’. Other rights already existing under the DPD have also been enhanced.
The right to be forgotten has strengthened the right of the data subject to request that his/her data is erased, although this right may be limited in certain cases such as when the processing is required for compliance with a legal obligation.
The right to data portability is an entirely novel concept introduced by the GDPR: where the processing of personal data is based on consent or is necessary for the performance of a contract, and the processing is carried out by automated means, the data subject may request a copy of his/her data in a structured, commonly used and machine-readable format, or ask for the data to be transmitted directly to another controller where technically feasible, which may even be a competitor of the original data controller.
As seen above, data controllers will need to comply with more onerous obligations. The moment data is collected, the data subject must be provided with information relating to the data such as the contact details of the controller, the purposes of the processing and the recipients of the data.
The controller must also ensure that the data is collected on a lawful basis. Relying solely on consent is no longer an ideal option, because of the stricter rules on what constitutes valid consent, and because data subjects now have the right to withdraw their consent at any time; the GDPR requires that ‘it shall be as easy to withdraw as to give consent’.
Even more stringent obligations exist with regards to the processing of highly sensitive data, such as genetic data and biometric data. As a rule, the processing of such data is prohibited; however, it may be permissible albeit subject to very restrictive rules.
The GDPR also introduced a new requirement for public authorities, organizations whose core activities require them to conduct regular and systematic monitoring of data subjects on a large scale, and organizations who process sensitive data on a large scale. Such organizations must appoint a Data Protection Officer (‘DPO’), a person with ‘expert knowledge of data protection laws and practices’, either as an employee within the organization itself, or outsourced from a service provider. In either case, the organization has to ensure that the DPO is in a position to perform his/her duties in an independent manner. The tasks and responsibilities of the DPO are set out in detail in the GDPR. If an organization for which the appointment of a DPO is not mandatory wishes to employ a DPO nonetheless, then such appointment must still conform to the regulations as set out in the GDPR.
With the introduction of the GDPR there has been a shift towards increased accountability, which now extends to the data processor in addition to the data controller. In other words, both the data controller and the data processor may now be found directly liable for breaches of the GDPR. It is therefore important for both the controller and the processor to keep records of their processing activities, containing matters such as contact details, the purposes of the processing and a description of the categories of data and recipients. Where processing is likely to result in a high risk to the rights and freedoms of data subjects, for example large-scale processing of sensitive data or systematic monitoring, a data protection impact assessment must be carried out before the processing begins.
Another novel obligation under the GDPR is to report personal data breaches. By some industry estimates, more than five million records are lost or stolen worldwide every day. If a breach occurs, the data processor must notify the data controller without undue delay; the controller must in turn notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and, where the breach is likely to result in a high risk to the data subjects, must also inform the data subjects themselves without undue delay. The 72-hour clock starts when the controller becomes aware of the breach, so organizations need logging and monitoring that can actually detect a breach and establish when it was detected, an incident response procedure that can produce the notification in time, and systems protected against unauthorized access to minimize the risk of breaches in the first place.
The GDPR has also introduced the concepts of ‘privacy by design’ and ‘privacy by default’ (the regulation itself speaks of data protection by design and by default), which should be built into every system and internal policy. Technical and organizational measures such as pseudonymisation (processing data so that it can no longer be attributed to a specific data subject without additional information, with that additional information kept separately and protected by its own technical and organizational measures) and data minimization (collecting only the data actually necessary for the purpose and anonymizing data where possible) should be implemented. Note that pseudonymised data remains personal data under the GDPR, since it can still be attributed to a person using the separately held information; only truly anonymized data, which cannot be attributed to a person by any reasonably likely means, falls outside the regulation.
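The pseudonymisation described above, as an added Python example (not code from the original article or from ECOVIS): the pseudonym is an HMAC of the e-mail address under a secret key, the direct identifiers go into a lookup table that is stored separately, and only the fields the purpose needs are kept in the working data set. The record layout, the field names and the fictitious customer records are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for this example; the people, e-mail
# addresses and phone numbers are fictitious.
CUSTOMER_RECORDS = [
    {"name": "Anna Borg", "email": "anna.borg@example.com",
     "phone": "+356 2100 0000", "product": "insurance", "claims": 2},
    {"name": "Joe Camilleri", "email": "joe@example.net",
     "phone": "+356 2100 0001", "product": "loan", "claims": 0},
    # Same person as the first record, with the e-mail typed differently.
    {"name": "A. Borg", "email": "Anna.Borg@example.com ",
     "phone": "+356 2100 0000", "product": "savings", "claims": 1},
]

# Fields that directly identify a person (assumed layout). They never
# appear in the pseudonymised data set, only in the separate lookup table.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that turns an identifier into a pseudonym.

    Store it apart from the pseudonymised data (e.g. in a KMS or HSM):
    whoever holds the key can recompute pseudonyms for known e-mails.
    """
    return secrets.token_bytes(32)


def pseudonym_for(key: bytes, email: str) -> str:
    """Keyed hash of the normalised e-mail address.

    A plain, unkeyed hash would not do: e-mail addresses have little
    entropy, so an attacker could hash candidate addresses and match
    them against the data set. With HMAC the key is needed for that.
    """
    canonical = email.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key, fields_needed):
    """Return (pseudonymised records, lookup table).

    The pseudonymised records carry only the fields the purpose needs
    (data minimisation) plus a pseudonym; the lookup table holds the
    direct identifiers and must be stored and access-controlled
    separately from the pseudonymised data.
    """
    pseudonymised = []
    lookup = {}
    for rec in records:
        token = pseudonym_for(key, rec["email"])
        # Keep the identifiers from the first record seen for a person.
        lookup.setdefault(token, {f: rec[f] for f in DIRECT_IDENTIFIERS})
        out = {"subject": token}
        # Direct identifiers are dropped even if a caller asks for them.
        out.update({f: rec[f] for f in fields_needed
                    if f in rec and f not in DIRECT_IDENTIFIERS})
        pseudonymised.append(out)
    return pseudonymised, lookup


def contains_direct_identifiers(records) -> bool:
    """Check to run before a pseudonymised data set leaves the team."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


def reidentify(pseudonymised_record, lookup):
    """Attribute a record to a person again; needs the lookup table."""
    return lookup.get(pseudonymised_record["subject"])


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    data, lookup = pseudonymise(CUSTOMER_RECORDS, key, ("product", "claims"))
    for row in data:
        print(row)
    print("direct identifiers present:", contains_direct_identifiers(data))
    print("records 1 and 3 belong to the same subject:",
          data[0]["subject"] == data[2]["subject"])
    print("record 3 re-identified via the lookup table:",
          reidentify(data[2], lookup))
```

Whoever holds only the pseudonymised set cannot attribute a record to a person, but the two records of the same customer still link together for analysis; whoever holds the key or the lookup table can re-identify, which is exactly why the GDPR still treats the result as personal data and why access to those two artefacts is what needs to be restricted and audited.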
The GDPR has made it possible to demonstrate an organization’s compliance with the regulation by obtaining certification, seals and marks which will be issued by specially designated certification bodies. When this mechanism comes into force, organizations will be able to apply voluntarily in order to show that they adhere to the GDPR. Naturally, obtaining such certification does not diminish the responsibility of the organization to maintain compliance with the GDPR.
How can ECOVIS help you?
All these new obligations may seem overwhelming to organizations needing to comply with the GDPR by 25th May 2018. ECOVIS Malta can assist your organization by providing the right legal and technical advice and assistance throughout this process. Our legal team can draft privacy policies and other T&Cs for your organization and offer advice regarding DPOs and other staff members, whilst our IT team can help your organization with data mapping (locating your data collection sources, such as physical forms, contracts, location data and CCTV, and your data storage locations, such as folders, e-mails, pen-drives and the cloud), developing the correct mechanisms to protect and secure your data, restricting access to data within departments, pseudonymising data, implementing audit trails, as well as setting up of data registers and breach registers. For further information, contact ECOVIS Malta on firstname.lastname@example.org.
The content provided above is for general informational purposes only and does not constitute legal advice. ECOVIS Malta and/or any of its employees shall not be held liable for any damage suffered by the user through the access to, use, or reliance of information in this article or on our website. Should you require any assistance please contact our legal department.